defirisk.co
rubric v1.7.0

Bridge tracks nonce-consumed mapping

Spiko's assessment for RD-F-153 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

CCIP OffRamp implements sequence-based nonce tracking via INonceManager.incrementInboundNonce(). Nonce 0 allows out-of-order execution; non-zero nonces enforce in-order delivery and replay prevention. Replay attacks via nonce reuse are blocked.

Sources

  • GitHub
    CCIP OffRamp.sol — code-423n4 audit repository
    OffRamp.sol: 'if (!INonceManager(i_nonceManager).incrementInboundNonce(sourceChainSelector, message.header.nonce, message.sender)) continue;' — nonce-consumed tracking
    retrieved 2026-05-16

Methodology

Determine whether the bridge inbox maintains a nonce-consumed mapping and rejects replay of used nonces.


rubric_version: v1.7.0
protocol: spiko
factor: RD-F-153
score: green
collected_at: 2026-05-15 22:52:13